International Association for Cryptologic Research


IACR News


20 May 2019

Leon Botros, Matthias J. Kannwischer, Peter Schwabe
ePrint Report
This paper presents an optimized software implementation of the module-lattice-based key-encapsulation mechanism Kyber for the ARM Cortex-M4 microcontroller. Kyber is one of the round-2 candidates in the NIST post-quantum project. In the center of our work are novel optimization techniques for the number-theoretic transform (NTT) inside Kyber, which make very efficient use of the computational power offered by the “vector” DSP instructions of the target architecture. We also present results for the recently updated parameter sets of Kyber which equally benefit from our optimizations. As a result of our efforts we present software that is 18% faster than an earlier implementation of Kyber optimized for the Cortex-M4 by the Kyber submitters. Our NTT is more than twice as fast as the NTT in that software. Our software runs at about the same speed as the latest speed-optimized implementation of the other module-lattice-based round-2 NIST PQC candidate Saber. However, for our Kyber software, this performance is achieved with a much smaller RAM footprint. Kyber needs less than half of the RAM of what the considerably slower RAM-optimized version of Saber uses. Our software does not make use of any secret-dependent branches or memory access and thus offers state-of-the-art protection against timing attacks.
Alan Kaminsky
ePrint Report
Enigma 2000 (E2K) is a cipher that updates the World War II-era Enigma Machine for the twenty-first century. Like the original Enigma, E2K is intended to be computed by an offline device; this prevents side channel attacks and eavesdropping by malware. Unlike the original Enigma, E2K uses modern cryptographic algorithms; this provides secure encryption. E2K is intended for encrypted communication between humans only, and therefore it encrypts and decrypts plaintexts and ciphertexts consisting only of the English letters A through Z plus a few other characters. E2K uses a nonce in addition to the secret key, and requires that different messages use unique nonces. E2K performs authenticated encryption, and optional header data can be included in the authentication. This paper defines the E2K encryption and decryption algorithms, analyzes E2K’s security, and describes an encryption appliance based on the Raspberry Pi computer for doing E2K encryptions and decryptions offline.

19 May 2019

Michel Abdalla, Fabrice Benhamouda, Romain Gay
ePrint Report
We present a new generic construction of multi-client functional encryption (MCFE) for inner products from single-input functional inner-product encryption and standard pseudorandom functions. In spite of its simplicity, the new construction supports labels, achieves security in the standard model under adaptive corruptions, and can be instantiated from the plain DDH, LWE, and Paillier assumptions. Prior to our work, the only known constructions required discrete-log-based assumptions and the random-oracle model. Since our new scheme is not compatible with the compiler from Abdalla et al. (PKC 2019) that decentralizes the generation of the functional decryption keys, we also show how to modify the latter transformation to obtain a decentralized version of our scheme with similar features.
Suhyeon Lee, Seungjoo Kim
ePrint Report
One of Bitcoin’s core security guarantees is that, for an attacker to be able to successfully interfere with the Bitcoin network and reverse transactions, they need to control 51% of total hash power. Eyal et al., however, significantly reduce Bitcoin’s security guarantee by introducing another type of attack, called "Selfish Mining". The key idea behind selfish mining is for a miner to keep its discovered blocks private, thereby intentionally forking the chain. As a result of a selfish mining attack, even a miner with 25% of the computation power can bias the agreed chain with its blocks. After Eyal's original paper, the concept of selfish mining has been actively studied within the Bitcoin community for several years. This paper studies a fundamental problem regarding the selfish mining strategy under the existence of mining pools. For this, we propose a new attack strategy, called "Detective Mining", and show that a selfish mining pool is not profitable anymore when other miners use our strategy.

16 May 2019

London, UK, 11 November 2019
Event Calendar
Event date: 11 November 2019
Submission deadline: 28 June 2019
Notification: 14 August 2019

15 May 2019

Centre for Quantum Technologies, Singapore
Job Posting
We have a postdoctoral position in post-quantum cryptography broadly defined. In particular, anyone interested in algorithmic and/or complexity-theoretic aspects of problems relevant in lattice-based, code-based, and multivariate cryptography is welcome to apply.

The position comes with an internationally competitive salary and generous support for travel. Moreover, there are ample opportunities to collaborate with excellent scientists both based at CQT/NUS and research visitors.

Closing date for applications: 31 October 2019

Contact: Divesh Aggarwal

Assistant Professor, NUS, and Principal Investigator, CQT (joint appointment)

divesh.aggarwal (at) gmail.com

CEA Saclay
Job Posting
CEA LIST is looking for a talented student to explore the robustness and privacy of graph-neural-network-based approaches, by considering solutions combining randomization and homomorphic encryption. See https://gouypailler.github.io/files/phdCryptoRobust.pdf for details.

CEA background in these fields

==============================

CEA LIST has been a key leader in fully homomorphic encryption techniques (see https://github.com/CEA-LIST/Cingulata). In the context of FHE, machine learning appears as a killer application. Many key advances have yet to be made to fully address machine learning applications using FHE technologies. The next technological barriers depend on the computational cost of the considered stage (training or inference), but the main approaches are: first, to limit the operators used in graph neural networks such that the associated FHE computational cost is kept reasonable; second, to view FHE as a building block that can be activated in specific parts of the pipeline to ensure model or data privacy. CEA LIST is also very active in the field of randomization algorithms to ensure data privacy and robustness to adversarial attacks. Past works include the PhD theses of Anne Morvan and Rafael Pinot.

Closing date for applications: 15 June 2019

Contact: Cedric Gouy-Pailler (cedric.gouy-pailler (at) cea.fr) or Renaud Sirdey

More information: https://gouypailler.github.io/files/phdCryptoRobust.pdf


13 May 2019

Razvan Barbulescu, Nadia El Mrabet, Loubna Ghammam
ePrint Report
A recent NFS attack against pairings made it necessary to increase the key sizes of the most popular families of pairings: BN, BLS12, KSS16, KSS18 and BLS24. The attack applies to other families of pairings but not to all. In this paper we compute the key sizes required for more than 150 families of pairings to verify if there are any other families which are better than BN. The security estimation is not straightforward because it is not a mathematical formula; rather, one has to instantiate the Kim-Barbulescu attack by proposing polynomials and parameters.

After estimating the practical security of an extensive list of families, we compute the complexity of the optimal Ate pairing at 128 and 192 bits of security. For some of the families the optimal Ate has never been studied before. We show that a number of families of embedding degree 9, 14 and 15 are very competitive with $BN$, $BLS12$ and $KSS16$ at 128 bits of security. We identify a set of candidates for 192 bits and 256 bits of security.
Eric Brier, Houda Ferradi, Marc Joye, David Naccache
ePrint Report
This paper introduces new $p^r q$-based one-way functions and companion signature schemes. The new signature schemes are interesting because they do not belong to the two common design blueprints, which are the inversion of a trapdoor permutation and the Fiat-Shamir transform. In the basic signature scheme, the signer generates multiple RSA-like moduli $n_i = p_i^2 q_i$ and keeps their factors secret. The signature is a bounded-size prime whose Jacobi symbols with respect to the $n_i$'s match the message digest. The generalized signature schemes replace the Jacobi symbol with higher-power residue symbols. The case of 8th-power residue symbols is fully detailed along with an efficient implementation thereof. Given their very unique design, the proposed signature schemes seem to be an overlooked missing species in the corpus of known signature algorithms.
Pierrick Méaux, Claude Carlet, Anthony Journault, François-Xavier Standaert
ePrint Report
Motivated by the application of delegating computation, we revisit the design of filter permutators as a general approach to build stream ciphers that can be efficiently evaluated in a fully homomorphic manner. We first introduce improved filter permutators that allow better security analyses, instances and implementations than the previously proposed FLIP family of stream ciphers. We also put forward the similarities between these improved constructions and a popular PRG design by Goldreich. Then, we exhibit the relevant cryptographic parameters of two families of Boolean functions, direct sums of monomials and XOR-MAJ functions, which give candidates to instantiate the improved filter permutator paradigm. We develop new Boolean function techniques to study them, and refine Goldreich's PRG locality bound for this purpose. We give an asymptotic analysis of the noise level of improved filter permutator instances using both kinds of functions, and recommend them as good candidates for evaluation with a third-generation FHE scheme. Finally, we propose a methodology to evaluate the performance of such symmetric cipher designs in an FHE setting, which primarily focuses on the noise level of the symmetric ciphertexts (hence on the amount of operations on these ciphertexts that can be homomorphically evaluated). Evaluations performed with HElib show that instances of improved filter permutators using direct sums of monomials as filter outperform all existing ciphers in the literature based on this criterion. We also discuss the (limited) overheads of these instances in terms of latency and throughput.
Jacob Appelbaum, Chloe Martindale, Peter Wu
ePrint Report
We show that a future adversary with access to a quantum computer, historic network traffic protected by WireGuard, and knowledge of a WireGuard user's long-term static public key can likely decrypt many of the WireGuard user's historic messages. We propose a simple, efficient alteration to the WireGuard protocol that mitigates this vulnerability, with negligible additional computational and memory costs. Our changes add zero additional bytes of data to the wire format of the WireGuard protocol. Our alteration provides transitional post-quantum security for any WireGuard user who does not publish their long-term static public key -- it should be exchanged out-of-band.
Prasanna Raghaw Mishra, Bhartendu Nandan, Navneet Gaba
ePrint Report
In this paper we give an efficient and compact reformulation of the NIST collision estimate test given in SP 800-90B. We correct an error in the formulation of the test and show that the test statistic can be computed in a much easier way. We also propose a revised algorithm for the test based on our findings.
Karim Baghery
ePrint Report
Along with blockchain technology, smart contracts have found intense interest in lots of practical applications. A smart contract is a mechanism involving digital assets and some parties, where the parties deposit assets into the contract and the contract redistributes the assets among the parties based on provisions of the smart contract and inputs of the parties. Recently, several smart contract systems have been constructed that use zk-SNARKs to provide privacy-preserving payments and interconnections in the contracts (e.g. Hawk [IEEE S&P, 2016] and Gyges [ACM CCS, 2016]). The efficiency of such systems is severely dominated by the efficiency of the underlying UC-secure zk-SNARK, which is achieved using the COCO framework [Kosba et al., 2015] applied on a non-UC-secure zk-SNARK. In this paper, we show that recent progress on zk-SNARKs allows one to simplify the structure and also improve the efficiency of both systems with a UC-secure zk-SNARK that has a simpler construction and better efficiency in comparison with the currently used ones. More precisely, with minimal changes, we present a variation of Groth and Maller's zk-SNARK from Crypto 2017, and show that it achieves UC-security and has better efficiency than the ones that are currently used in Hawk and Gyges. We believe the new variation can be of independent interest.
Sébastien Canard, Loïc Ferreira
ePrint Report
LoRaWAN is an IoT protocol deployed worldwide. Whereas the first version 1.0 has been shown to be weak against several types of attacks, the new version 1.1 has been recently released, and aims, in particular, at providing corrections to the previous release. It also introduces a third entity, turning the original 2-party protocol into a 3-party protocol. In this paper, we provide the first security analysis of LoRaWAN 1.1 in its 3-party setting using a provable approach, and show that it suffers from several flaws. Based on the 3(S)ACCE model of Bhargavan et al., we then propose an extended framework that we use to analyse the security of LoRaWAN-like 3-party protocols, and describe a generic 3-party protocol provably secure in this extended model. We use this provable security approach to propose a slightly modified version of LoRaWAN 1.1. We show how to concretely instantiate this alternative, and formally prove its security in our extended model.
Sarah McCarthy, James Howe, Neil Smyth, Seamus Brannigan, Máire O'Neill
ePrint Report
Post-quantum cryptography is an important and growing area of research due to the threat of quantum computers, as recognised by the National Institute of Standards and Technology's (NIST) recent call for standardisation. Lattice-based signatures have been shown in the past to be susceptible to side-channel attacks. Falcon is a lattice-based signature candidate submitted to NIST, which has good performance but lacks research with respect to implementation attacks and resistance. This research proposes the first fault attack analysis on Falcon and finds its lattice trapdoor sampler is as vulnerable to fault attacks as the GPV sampler used in alternative signature schemes. We simulate the post-processing component of this fault attack and achieve a 100% success rate at retrieving the private key. This research then proposes an evaluation of countermeasures to prevent this fault attack and timing attacks on Falcon. We provide cost evaluations on the overheads of the proposed countermeasures, which show that Falcon has only up to 30% deterioration in performance of its key generation, and only 5% in its signing, compared to the version without countermeasures.

11 May 2019

Graz University of Technology
Job Posting
In the context of the excellence research project “Dependable Internet of Things in Adverse Environments” of Graz University of Technology, we offer nine new PhD positions. One of the core topics of the research of this project is information security.

Graz University of Technology offers a very active research environment with more than 70 researchers on all aspects of information security.

Candidates for a PhD in information security should have experience/interest in at least one of the following fields:

* Side Channels

* Operating system security

* Software isolation techniques

* Applied Cryptography

* Formal methods

* Code analysis and compilers

For details on the position and the application process see: https://www.tugraz.at/projekte/dependablethings/jobs/

Closing date for applications: 9 June 2019

Contact: Stefan Mangard, Email: Stefan.Mangard (at) iaik.tugraz.at

More information: https://www.tugraz.at/projekte/dependablethings/jobs/

Input Output Hong Kong
Job Posting
IOHK is looking for a talented, specialized cryptographic engineer to join our growing in-house cryptography team. You’ll be responsible for cryptographic implementations and their use.

You will have a good understanding of cryptography (e.g. mathematics, information theory, primitives, implementations) and the ability to deliver working implementation related to these domains. The ideal candidate should understand and follow best engineering processes and practices and should demonstrate a working knowledge of a functional programming language (preference is for Haskell), and system languages (preferably Rust or C).

Skills & Requirements:

Skills and Knowledge: A solid understanding of cryptography: basic theory & use. System programming experience. Ability to translate specifications (e.g. cryptography research papers, RFCs) into working code. Know when and how to use basic cryptographic primitives. Can reason about complex & abstract problems.

Responsibilities: Read & review cryptographic research papers and implement them as a prototype. Improve existing implementations of common cryptographic primitives and/or interface/translate them to a different programming language. Transform prototypes into production-level projects. Interact and coordinate with research, engineering and product management teams.

Completion of a relevant degree such as Computer Science, Software Engineering, Mathematics or a related technical discipline.

Desired competencies: We are particularly interested in candidates with at least one of the following: familiarity and/or experience with privacy-enhancing cryptographic technologies, e.g., zero-knowledge proofs and/or SNARKs, multi-party computation, and differential privacy; functional programming experience (preferably Scala or Haskell).

When you apply… Please include an up-to-date resume. We also strongly encourage you to include a cover letter explaining why you’re interested in working at IOHK.

Closing date for applications: 1 July 2019

Contact: David Rountree

david.rountree (at) iohk.io

More information: https://iohk.io/careers/#op-286193-specialized-cryptography-engineer-

Providence, USA, 10 June - 14 June 2019
Event Calendar
Event date: 10 June to 14 June 2019
Cryptography, Security, and Privacy Research Group, Koç University, Istanbul, Turkey
Job Posting
Cryptography, Security & Privacy Research Group at Koç University has multiple openings at every level. Accepted applicants will receive competitive scholarships including tuition waiver, housing, monthly stipend, computer, travel support, etc.

  • To apply online, and for questions about the application process for M.Sc. and Ph.D. positions, visit

    https://gsse.ku.edu.tr/en/admissions/application-requirements/

    All applications must be completed online. Deadline is 7 June 2019.

  • For postdoctoral researcher positions, contact Assoc. Prof. Alptekin Küpçü directly, including full CV, sample publications, a research proposal, and 2-3 reference letters sent directly by the referees.

    http://home.ku.edu.tr/~akupcu

    Dates are flexible.

Applications with missing documents will not be considered.

Closing date for applications: 15 September 2019

Contact: gsse (at) ku.edu.tr

More information: https://crypto.ku.edu.tr/work-with-us/

Middle East Technical University (METU), Turkey
Job Posting
The Institute of Applied Mathematics (IAM), Middle East Technical University (METU) offers academic positions in Cryptography. To this aim, we invite all scholars who are interested in full-time faculty positions starting from Assistant Professor level based on the academic profile of the applicant. We encourage you to send us your information if you have a solid research history with a strong publication record in all areas of cryptography.

Members of the institute are expected to pursue a vigorous research program, attract external research funding, and contribute strongly to the institute's teaching program at graduate level. Interested candidates are invited to submit an application online with the following documents:

- Curriculum Vitae;

- Research Statement;

- Teaching Statement;

- Names and addresses of three references.

Closing date for applications: 15 June 2019

More information: https://iam.metu.edu.tr/open-faculty-positions
